compliance controls are associated with this Policy definition 'Audit VMs that do not use managed disks' (06a78e20-9358-41c9-923c-fb736d382a4d)
| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| CIS_Azure_1.3.0 |
7.1 |
CIS_Azure_1.3.0_7.1 |
CIS Microsoft Azure Foundations Benchmark recommendation 7.1 |
7 Virtual Machines |
Ensure Virtual Machines are utilizing Managed Disks |
Shared |
The customer is responsible for implementing this recommendation. |
Migrate BLOB based VHD's to Managed Disks on Virtual Machines to exploit the default features of this configuration.
The features include
1) Default Disk Encryption
2) Resilience as Microsoft will managed the disk storage and move around if underlying hardware goes faulty
3) Reduction of costs over storage accounts |
link |
4 |
| CIS_Azure_1.4.0 |
7.1 |
CIS_Azure_1.4.0_7.1 |
CIS Microsoft Azure Foundations Benchmark recommendation 7.1 |
7 Virtual Machines |
Ensure Virtual Machines are utilizing Managed Disks |
Shared |
The customer is responsible for implementing this recommendation. |
Migrate BLOB based VHD's to Managed Disks on Virtual Machines to exploit the default features of this configuration.
The features include
1) Default Disk Encryption
2) Resilience as Microsoft will managed the disk storage and move around if underlying hardware goes faulty
3) Reduction of costs over storage accounts |
link |
4 |
| CIS_Azure_2.0.0 |
7.2 |
CIS_Azure_2.0.0_7.2 |
CIS Microsoft Azure Foundations Benchmark recommendation 7.2 |
7 |
Ensure Virtual Machines are utilizing Managed Disks |
Shared |
There are additional costs for managed disks based off of disk space allocated. When converting to managed disks, VMs will be powered off and back on. |
Migrate blob-based VHDs to Managed Disks on Virtual Machines to exploit the default features of this configuration.
The features include:
1) Default Disk Encryption
2) Resilience, as Microsoft will managed the disk storage and move around if underlying hardware goes faulty
3) Reduction of costs over storage accounts
Managed disks are by default encrypted on the underlying hardware, so no additional encryption is required for basic protection. It is available if additional encryption is required.
Managed disks are by design more resilient that storage accounts.
For ARM-deployed Virtual Machines, Azure Adviser will at some point recommend moving VHDs to managed disks both from a security and cost management perspective. |
link |
4 |
| ISO27001-2013 |
A.9.1.2 |
ISO27001-2013_A.9.1.2 |
ISO 27001:2013 A.9.1.2 |
Access Control |
Access to networks and network services |
Shared |
n/a |
Users shall only be provided with access to the network and network services that they have been specifically authorized to use. |
link |
29 |
| NL_BIO_Cloud_Theme |
U.10.2(2) |
NL_BIO_Cloud_Theme_U.10.2(2) |
NL_BIO_Cloud_Theme_U.10.2(2) |
U.10 Access to IT services and data |
Users |
|
n/a |
Under the responsibility of the CSP, administrators shall be granted access: to data with the least privilege principle; to data with the need-to-know principle; with multi-factor authentication; to data and application functions via technical measures. |
|
25 |
| NL_BIO_Cloud_Theme |
U.10.3(2) |
NL_BIO_Cloud_Theme_U.10.3(2) |
NL_BIO_Cloud_Theme_U.10.3(2) |
U.10 Access to IT services and data |
Users |
|
n/a |
Only users with authenticated equipment can access IT services and data. |
|
32 |
| NL_BIO_Cloud_Theme |
U.10.5(2) |
NL_BIO_Cloud_Theme_U.10.5(2) |
NL_BIO_Cloud_Theme_U.10.5(2) |
U.10 Access to IT services and data |
Competent |
|
n/a |
Under the responsibility of the CSP, privileges (system authorisations) for users are granted through formal procedures. |
|
25 |
|
op.acc.2 Access requirements |
op.acc.2 Access requirements |
404 not found |
|
|
|
n/a |
n/a |
|
64 |
|
op.ext.4 Interconnection of systems |
op.ext.4 Interconnection of systems |
404 not found |
|
|
|
n/a |
n/a |
|
68 |
| SOC_2 |
CC6.8 |
SOC_2_CC6.8 |
SOC 2 Type 2 CC6.8 |
Logical and Physical Access Controls |
Prevent or detect against unauthorized or malicious software |
Shared |
The customer is responsible for implementing this recommendation. |
Restricts Application and Software Installation — The ability to install applications
and software is restricted to authorized individuals.
• Detects Unauthorized Changes to Software and Configuration Parameters — Processes are in place to detect changes to software and configuration parameters that
may be indicative of unauthorized or malicious software.
• Uses a Defined Change Control Process — A management-defined change control
process is used for the implementation of software.
• Uses Antivirus and Anti-Malware Software — Antivirus and anti-malware software
is implemented and maintained to provide for the interception or detection and remediation of malware.
• Scans Information Assets from Outside the Entity for Malware and Other Unauthorized Software — Procedures are in place to scan information assets that have been
transferred or returned to the entity’s custody for malware and other unauthorized
software and to remove any items detected prior to its implementation on the network. |
|
47 |
| SOC_2 |
CC8.1 |
SOC_2_CC8.1 |
SOC 2 Type 2 CC8.1 |
Change Management |
Changes to infrastructure, data, and software |
Shared |
The customer is responsible for implementing this recommendation. |
Manages Changes Throughout the System Life Cycle — A process for managing
system changes throughout the life cycle of the system and its components (infrastructure, data, software, and procedures) is used to support system availability and
processing integrity.
• Authorizes Changes — A process is in place to authorize system changes prior to
development.
• Designs and Develops Changes — A process is in place to design and develop system changes.
• Documents Changes — A process is in place to document system changes to support ongoing maintenance of the system and to support system users in performing
their responsibilities.
• Tracks System Changes — A process is in place to track system changes prior to
implementation.
• Configures Software — A process is in place to select and implement the configuration parameters used to control the functionality of software.
• Tests System Changes — A process is in place to test system changes prior to implementation.
• Approves System Changes — A process is in place to approve system changes prior
to implementation.
• Deploys System Changes — A process is in place to implement system changes.
• Identifies and Evaluates System Changes — Objectives affected by system changes
are identified and the ability of the modified system to meet the objectives is evaluated throughout the system development life cycle.
• Identifies Changes in Infrastructure, Data, Software, and Procedures Required to
Remediate Incidents — Changes in infrastructure, data, software, and procedures
required to remediate incidents to continue to meet objectives are identified and the
change process is initiated upon identification.
• Creates Baseline Configuration of IT Technology — A baseline configuration of IT
and control systems is created and maintained.
• Provides for Changes Necessary in Emergency Situations — A process is in place
for authorizing, designing, testing, approving, and implementing changes necessary
in emergency situations (that is, changes that need to be implemented in an urgent
time frame).
Additional points of focus that apply only in an engagement using the trust services criteria for
confidentiality:
• Protects Confidential Information — The entity protects confidential information
during system design, development, testing, implementation, and change processes
to meet the entity’s objectives related to confidentiality.
Additional points of focus that apply only in an engagement using the trust services criteria for
privacy:
• Protects Personal Information — The entity protects personal information during
system design, development, testing, implementation, and change processes to meet
the entity’s objectives related to privacy. |
|
52 |
| SWIFT_CSCF_v2021 |
1.3 |
SWIFT_CSCF_v2021_1.3 |
SWIFT CSCF v2021 1.3 |
SWIFT Environment Protection |
Virtualisation Platform Protection |
|
n/a |
Secure virtualisation platform and virtual machines (VM???s) hosting SWIFT related components to the same level as physical systems. |
link |
1 |
| SWIFT_CSCF_v2021 |
2.5A |
SWIFT_CSCF_v2021_2.5A |
SWIFT CSCF v2021 2.5A |
Reduce Attack Surface and Vulnerabilities |
External Transmission Data Protection |
|
n/a |
Protect the confidentiality of SWIFT-related data transmitted or stored outside of the secure zone as part of operational processes. |
link |
11 |
| SWIFT_CSCF_v2021 |
3.1 |
SWIFT_CSCF_v2021_3.1 |
SWIFT CSCF v2021 3.1 |
Physically Secure the Environment |
Physical Security |
|
n/a |
Prevent unauthorised physical access to sensitive equipment, workplace environments, hosting sites, and storage. |
link |
1 |
| SWIFT_CSCF_v2022 |
1.3 |
SWIFT_CSCF_v2022_1.3 |
SWIFT CSCF v2022 1.3 |
1. Restrict Internet Access & Protect Critical Systems from General IT Environment |
Secure the virtualisation platform and virtual machines (VMs) that host SWIFT-related components to the same level as physical systems. |
Shared |
n/a |
Secure the virtualisation platform, virtualised machines, and the supporting virtual infrastructure (such as firewalls) to the same level as physical systems. |
link |
2 |
| SWIFT_CSCF_v2022 |
2.5A |
SWIFT_CSCF_v2022_2.5A |
SWIFT CSCF v2022 2.5A |
2. Reduce Attack Surface and Vulnerabilities |
External Transmission Data Protection |
Customer |
n/a |
Protect the confidentiality of SWIFT-related data transmitted or stored outside of the secure zone as part of operational processes. |
link |
6 |
| SWIFT_CSCF_v2022 |
3.1 |
SWIFT_CSCF_v2022_3.1 |
SWIFT CSCF v2022 3.1 |
3. Physically Secure the Environment |
Prevent unauthorised physical access to sensitive equipment, workplace environments, hosting sites, and storage. |
Shared |
n/a |
Physical security controls are in place to protect access to sensitive equipment, hosting sites, and storage. |
link |
8 |
|
U.10.2 - Users |
U.10.2 - Users |
404 not found |
|
|
|
n/a |
n/a |
|
25 |
|
U.10.3 - Users |
U.10.3 - Users |
404 not found |
|
|
|
n/a |
n/a |
|
26 |
|
U.10.5 - Competent |
U.10.5 - Competent |
404 not found |
|
|
|
n/a |
n/a |
|
24 |
| UK_NCSC_CSP |
10 |
UK_NCSC_CSP_10 |
UK NCSC CSP 10 |
Identity and authentication |
Identity and authentication |
Shared |
n/a |
All access to service interfaces should be constrained to authenticated and authorised individuals. |
link |
25 |